AFFORDABLE CARE ACT COMPLIANCE VALIDATION SYSTEM: †SECURITY AND TESTING RISKS
Report issued on May 16, 2016
Highlights of Reference Number:† 2016-23-040 to the Internal Revenue Service Chief Technology Officer and Director, Services and Enforcement Affordable Care Act Office.
IMPACT ON TAXPAYERS
Starting with 2014 individual income tax returns, the Affordable Care Act (ACA) requires taxpayers to report that they have qualifying health care coverage, are eligible for a health coverage exemption, or make a Shared Responsibility Payment.† The ACA also created the Exchanges, i.e., Federal and State, from which individuals can purchase health plans and, if eligible, obtain an advance payment of the Premium Tax Credit to help pay premiums. †The IRS developed the ACA Compliance Validation System (ACV) to support post-filing compliance of the Premium Tax Credit and the Shared Responsibility Payment.
WHY TIGTA DID THE AUDIT
TIGTA initiated this audit to evaluate the IRSís responsibility in fulfilling certain ACA requirements for taxpayers receiving an advance payment of the Premium Tax Credit.† The overall objective was to determine whether the IRS adequately developed and tested the ACV. †Specifically, TIGTA evaluated policies, procedures, and processes for developing and testing the ACV that included functional requirements; changes; project and risk management; and performance, functional, and security testing.
WHAT TIGTA FOUND
The IRS successfully tested the functionality and security of the ACV prior to placing the system into production.† In addition, the system was placed into production on September 10, 2015, prior to the mandatory due date of September 27, 2015.
The ACV project team followed system development procedures to identify functional requirements and design the first release of the ACV.† By utilizing lessons learned from previous system development projects, the ACV project team was able to build the ACV and complete performance, integration, and release-level testing on schedule.
Following release-level testing, the IRS properly assessed the security of the ACV.† The Cybersecurity organization provided all required documents and security testing results, including the identified security risks for the authorizing official to make an informed decision authorizing the system to operate.
While the security testing met all applicable requirements, TIGTA found examples of inaccurate security control descriptions in 29 (14.4 percent) of 201 controls in the ACA System Security Plan, a key security document.† The errors TIGTA found did not cause any applicable security controls to be excluded from testing and did not affect the authorization decision to place the system into operation.† During the audit, the Cybersecurity organization corrected the errors and updated the ACA System Security Plan.
WHAT TIGTA RECOMMENDED
TIGTA made no recommendations in this report. †IRS officials reviewed the draft report and agreed with the facts presented.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number ††/† 202-622-6500
E-mail Address †/† TIGTACommunications@tigta.treas.gov
Website†††††† ††††††/† https://www.treasury.gov/tigta